Hi Andrew,

I really thought I'd published my ossec Puppet module, but it's not in
the Forge. I'll need to dig into this later; however, it's on GitHub if
you want to take a look.

It sounds like you've put in a bit of work but, FWIW, my module will
cover nearly all aspects of ossec's client and server configurations,
from passing the client keys between client and server to setting
all configuration options, alert definitions, syscheck options,
localfile opts, etc., etc.

It supports SUSE and Red Hat, but adding support for other systems would
be trivial; all you need is an ossec package to install.

https://github.com/deadpoint/ossec
--
Later,
Darin


On Thu, Oct 9, 2014 at 7:05 PM, Andrew Wood <mongolsamu...@gmail.com> wrote:
> I'm working on a puppet module for managing ossec. I'm pretty new to this
> software but I've spent a good part of the last two weeks digging through it
> and I'm starting to understand it. However, I have some questions I can't
> seem to get answers to on the wiki, so I'm hoping to find some answers here.
> I'm also interested in any feedback from more experienced users about the
> design of this puppet module.
> I started with this module: https://forge.puppetlabs.com/jgazeley/ossec
> It doesn't seem to have any support for managing agent files however,
> besides what's already built into ossec. I need to be able to support a
> pretty diverse infrastructure across multiple platforms, so I need to be
> able to enable and disable system audit rules (among other things) on a
> per-host and per-role basis.
>
> My current question is, can someone tell me what /etc/shared/merged.mg is,
> how it's generated, and what it's used for?
>
> I may find further questions, which I'll add to this thread. I'm also
> interested in hearing from anyone who would be interested in using a puppet
> module like this, or who has suggestions for the best approach to mass
> deployment and configuration of ossec infrastructures.
>
> For anyone who's interested in this project, here's a list of what my needs
> are (and what my module is intended to support):
> - Inheritable puppet resources to add or remove items to/from the rootcheck
> and system audit rule files (e.g. remove samba audit from servers with file
> server role, add additional ssh sanity checks to root bastions, etc.)
> - Automatic, intelligent agent registration to ossec server
> - Automatic updating of rootcheck rules (probably by pulling the latest
> release tarball from source, pulling out the files in question, and much
> sed/diff)
> - Centrally generated and deployed audit rule files using puppet and ossec
> master
>
> Things I don't intend to work with:
> - Log monitoring (I already have logstash/kibana and nagios, so this isn't a
> high-value feature for me)
> - Active response (I have other solutions in place for some of this. I would
> like to play with it eventually, but it's not a priority for me yet)
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
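The "centrally generated and deployed audit rule files" item from the list above, as an added Puppet example that is not code from either poster's module: a Hiera-merged map of role to audit files is rendered into the manager's shared agent.conf, one `<agent_config profile="ROLE">` block per role, and an agent opts in with `<config-profile>ROLE</config-profile>` in the `<client>` section of its own ossec.conf. The class name, the Hiera key and the sample data are assumptions for illustration.

```puppet
# Added example (not the deadpoint/ossec or jgazeley/ossec module's code).
# Constructed Hiera data; the host file flips one check off for its role:
#   common.yaml
#     ossec::audit_profiles:
#       fileserver:
#         system_audit_rcl.txt: true
#         cis_rhel_linux_rcl.txt: true
#       bastion:
#         system_audit_rcl.txt: true
#         system_audit_ssh.txt: true
#   nodes/fs01.yaml
#     ossec::audit_profiles:
#       fileserver:
#         cis_rhel_linux_rcl.txt: false
class ossec_shared_audit (
  # Explicit 'hash' merge so host-level YAML can change one entry without
  # restating the whole role map (key name differs from the parameter name
  # on purpose, so automatic parameter lookup does not short-circuit it).
  Hash[String, Hash[String, Boolean]] $profiles =
    lookup('ossec::audit_profiles', Hash, 'hash', {}),
  String $shared_dir = '/var/ossec/etc/shared',
) {
  # Per role, keep only the audit files that are switched on.
  $enabled = $profiles.reduce({}) |$memo, $entry| {
    $memo + { $entry[0] => $entry[1].filter |$f, $on| { $on }.keys }
  }

  # One <agent_config> block per role; the manager ships this to agents.
  $template = @(EPP)
    <%- $enabled.each |$role, $files| { -%>
    <agent_config profile="<%= $role %>">
      <rootcheck>
    <%- $files.each |$f| { -%>
        <system_audit><%= $shared_dir %>/<%= $f %></system_audit>
    <%- } -%>
      </rootcheck>
    </agent_config>
    <%- } -%>
    | EPP

  file { "${shared_dir}/agent.conf":
    ensure  => file,
    owner   => 'ossec',
    group   => 'ossec',
    mode    => '0640',
    content => inline_epp($template, {
      'enabled' => $enabled, 'shared_dir' => $shared_dir }),
  }
}
```

Applied on the manager, this keeps the audit-file selection in version-controlled Hiera data, so a per-host override is a one-line diff rather than hand edits on the server.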
